Australian software as a service provider PageUp has released details of a possible data breach that took place late last month.
The company, which provides HR software, says it has more than 2.6 million users in 190 countries
A statement posted on PageUp’s website by the company’s CEO and co-founder, Karen Cariss, said the company “detected unusual activity on its IT infrastructure” on 23 May.
“On May 28, 2018 our investigations revealed that we have some indicators that client data may have been compromised, a forensic investigation with assistance from an independent 3rd party is currently ongoing,” the statement said.
The PageUp CEO said the company is “working together with international law enforcement, government authorities and independent security experts to fully investigate the matter”.
“There is no evidence that there is still an active threat, and the jobs website can continue to be used. All client user and candidate passwords in our database are hashed using bcrypt and salted, however, out of an abundance of caution, we suggest users change their password,” Cariss said.
PageUp’s customers have included Linfox, Tatts Group, Michael Hill, Lindt and Australia Post.
Australia Post confirmed that it had used the company's SaaS offering since October 2016.
“At this stage, PageUp is yet to determine if any personal information of applicants for Australia Post roles has been compromised,” the organisation said in a statement.
“We are writing to all employees whose applications have come through the system since we began using PageUp to let them know how this issue may affect them.”
Australia Post has ceased using PageUp's systems to process job applications, it said, and contacted the company with “a series of specific questions surrounding the privacy impact of this incident”.
“To be clear there is still no evidence that Australia Post Group job applicants’ data has been compromised,” the organisation said.
Telstra said it had suspended use of PageUp.
“We are treating this matter seriously and are taking all necessary action to protect the security of the services provided by the vendor,” Telstra HR chief Alex Badenoch said in a statement.
The telco has put on hold all current recruitment activity that has not been progressed past a written offer, Badenoch said.
An FAQ released by PageUp said that the data could include details such as name and contact details as well as encrypted usernames and passwords.
Employment documents such as contracts and resumes are stored on separate infrastructure.
“We have no evidence that the document storage infrastructure has been compromised,” PageUp said.
The source of the compromise was a “malware infection”.
“The malware has been eradicated from our systems and we have confirmed that our anti-malware signatures can now detect the malware,” PageUp said. “We see no further signs of malicious or unauthorised activity and are confident in this assessment.”
The Office of the Australian Information Commissioner (OAIC) and the UK’s Information Commissioner’s Office have both been given details of the breach. PageUp said it has also been in contact with the Australian Cyber Security Centre and CERT Australia.